There is no hiding the source (and use SSL while you’re at it)

Security through obscurity is never a good thing and will always be broken. We can see this with the iPhone’s encrypted AppStore binaries. Once the phone is jailbroken, it is trivial to decrypt the apps; you simply run the program with gdb and set a breakpoint after the decryption software has run. Voilà! You have the decrypted app. The virus writers do a much better job at this.

Recently I downloaded a Firefox plugin (I know, nothing to do with the iPhone, but it illustrates my point) which required paid registration to gain access to all the features. I pulled up Wireshark and noticed that every time I started Firefox it would query the company’s servers to see if the license was valid. The silly part was, however, that all the queries ran over traditional HTTP (no encryption). It would be trivial to change the hosts file on my computer so that their domain was redirected somewhere else, perhaps to a server that I controlled that would tell the program that the license was valid.

This is not the worst part, however. In the ~/.mozilla/firefox/profile.default/extensions/addondirectory directory (not sure where it is on Windows) I had access to all the JavaScript which did the queries to see if the registration was valid. A simple modification of two or three lines of code to make the server response a static “VALID” is all it would have taken.

Why do I bring this all up? First of all, any iPhone app developer who thinks no one will have access to the files on the device is obviously wrong. Hard-coded passwords, registration numbers/processes, etc. are all a bad idea. Second, of all the third-party apps I’ve tested that use network connections to push out the user’s recent score in a game, download the high score list, etc., none of them use SSL. This is a bad idea because, using MITM techniques, I could modify the packets and no one would be able to detect that. Also, let’s say there was a buffer overflow in the code that parses the high score list. Any exploit could be thwarted if the connection were SSL and proper certificate checking were performed. Instead, however, all an attacker would have to do is MITM the host and inject the exploit when the high score list comes back from the server.
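
The client side of the SSL advice above, as an added example (not code from any app or plugin mentioned in this post): the high score list is fetched over TLS with certificate and hostname checking, and the parser bounds everything it reads. The "name,score" line format, the size limits, the host argument and the /scores path are assumptions made for illustration.

```python
import http.client
import ssl

MAX_BODY = 64 * 1024   # assumed cap on response size
MAX_ENTRIES = 100      # assumed cap on list length
MAX_NAME = 32          # assumed cap on a player name

def make_tls_context() -> ssl.SSLContext:
    """TLS context that validates the server's certificate chain and hostname."""
    ctx = ssl.create_default_context()   # trusts the system CA store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Already the defaults; set explicitly so a later edit cannot silently weaken them.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx

def fetch_scores(host: str, path: str = "/scores") -> bytes:
    """Fetch the list over HTTPS; a failed certificate check raises ssl.SSLError."""
    conn = http.client.HTTPSConnection(host, context=make_tls_context(), timeout=10)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        if resp.status != 200:
            raise ValueError(f"unexpected status {resp.status}")
        body = resp.read(MAX_BODY + 1)   # never read unbounded input
    finally:
        conn.close()
    if len(body) > MAX_BODY:
        raise ValueError("response too large")
    return body

def parse_scores(body: bytes) -> list[tuple[str, int]]:
    """Parse 'name,score' lines, rejecting anything outside the expected shape."""
    if len(body) > MAX_BODY:
        raise ValueError("response too large")
    lines = body.decode("utf-8", errors="strict").splitlines()
    if len(lines) > MAX_ENTRIES:
        raise ValueError("too many entries")
    scores = []
    for line in lines:
        name, sep, raw = line.rpartition(",")
        ok = sep and 0 < len(name) <= MAX_NAME and raw.isascii() and raw.isdigit()
        if not ok or len(raw) > 9:
            raise ValueError(f"malformed entry: {line[:40]!r}")
        scores.append((name, int(raw)))
    return scores

SAMPLE = b"alice,9001\nbob,42\n"   # constructed sample response
```

Certificate checking protects the list in transit; the bounded parser is the second layer for the case where the server itself returns bad data.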